fix: precise IP matching, safe NAT cleanup, atomic full snapshot replace#287
Merged
ejc3 merged 1 commit intoreview-networkingfrom Feb 7, 2026
Merged
fix: precise IP matching, safe NAT cleanup, atomic full snapshot replace#287ejc3 merged 1 commit intoreview-networkingfrom
ejc3 merged 1 commit intoreview-networkingfrom
Conversation
- Use exact "inet <ip>/" pattern in is_ip_in_use_on_veth to prevent substring false positives (e.g., 10.1.1.1 matching 10.1.1.10) - Remove unsafe sysctl ip_forward=0 from cleanup_global_nat_if_unused to avoid breaking Docker/K8s/VPNs on the host - Apply rename-swap technique to full snapshot path (matching diff snapshot path) to prevent data loss on crash between remove and rename 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
claude-claude bot
pushed a commit
that referenced
this pull request
Feb 7, 2026
The doc comment still mentioned "disables ip_forward" but the code intentionally leaves ip_forward enabled after the fix in PR #287. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
ejc3
added a commit
that referenced
this pull request
Feb 7, 2026
Bridged networking needs net.ipv4.ip_forward=1, but fcvm shouldn't silently enable a system-wide sysctl. Instead, check and error with instructions if it's disabled. The Makefile setup-btrfs target and CI workflows already enable it as part of host setup. Also fix stale cleanup doc comment (ip_forward=0 removal was in #287).
ejc3
added a commit
that referenced
this pull request
Feb 7, 2026
Bridged networking needs net.ipv4.ip_forward=1, but fcvm shouldn't silently enable a system-wide sysctl. Instead, check and error with instructions if it's disabled. The Makefile setup-btrfs target and CI workflows already enable it as part of host setup. Also fix stale cleanup doc comment (ip_forward=0 removal was in #287).
ejc3
pushed a commit
that referenced
this pull request
Feb 7, 2026
The doc comment still mentioned "disables ip_forward" but the code intentionally leaves ip_forward enabled after the fix in PR #287. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
ejc3
added a commit
that referenced
this pull request
Feb 7, 2026
Bridged networking needs net.ipv4.ip_forward=1, but fcvm shouldn't silently enable a system-wide sysctl. Instead, check and error with instructions if it's disabled. The Makefile setup-btrfs target and CI workflows already enable it as part of host setup. Also fix stale cleanup doc comment (ip_forward=0 removal was in #287).
ejc3
pushed a commit
that referenced
this pull request
Feb 7, 2026
The doc comment still mentioned "disables ip_forward" but the code intentionally leaves ip_forward enabled after the fix in PR #287. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
ejc3
added a commit
that referenced
this pull request
Mar 2, 2026
Bridged networking needs net.ipv4.ip_forward=1, but fcvm shouldn't silently enable a system-wide sysctl. Instead, check and error with instructions if it's disabled. The Makefile setup-btrfs target and CI workflows already enable it as part of host setup. Also fix stale cleanup doc comment (ip_forward=0 removal was in #287).
ejc3
pushed a commit
that referenced
this pull request
Mar 2, 2026
The doc comment still mentioned "disables ip_forward" but the code intentionally leaves ip_forward enabled after the fix in PR #287. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
ejc3
added a commit
that referenced
this pull request
Mar 2, 2026
Bridged networking needs net.ipv4.ip_forward=1, but fcvm shouldn't silently enable a system-wide sysctl. Instead, check and error with instructions if it's disabled. The Makefile setup-btrfs target and CI workflows already enable it as part of host setup. Also fix stale cleanup doc comment (ip_forward=0 removal was in #287).
ejc3
pushed a commit
that referenced
this pull request
Mar 2, 2026
The doc comment still mentioned "disables ip_forward" but the code intentionally leaves ip_forward enabled after the fix in PR #287. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Auto-Fix for PR #283
Issues Fixed
Substring IP matching false positives (
bridged.rs) —is_ip_in_use_on_vethusedline.contains(ip)which matches IPs as substrings (e.g., checking10.1.1.1would match10.1.1.10or210.1.1.1). Fixed by matching the exactinet <ip>/pattern fromip -o addr showoutput.Unsafe
ip_forwarddisable on cleanup (portmap.rs) —cleanup_global_nat_if_unusedunconditionally setnet.ipv4.ip_forward=0when the last bridged VM exited, which could break Docker, Kubernetes, VPNs, or other services relying on IP forwarding. Removed this — MASQUERADE rules are still cleaned up, but forwarding is left enabled.Non-atomic full snapshot replace (
common.rs) — The diff snapshot path was correctly fixed to use rename-swap (move old to.old, then rename temp to final), but the full snapshot path still usedremove_dir_all+renamewith a crash-unsafe gap. Applied the same rename-swap technique.Changes
src/network/bridged.rs: Useformat!("inet {}/", ip)instead of bareipin the contains checksrc/network/portmap.rs: Removesysctl -w net.ipv4.ip_forward=0with a comment explaining why we don't touch itsrc/commands/common.rs: Apply rename-swap pattern to full snapshot path (matching diff snapshot path)Note
This supersedes #284 which addressed issues 1 and 2 but not issue 3.
Generated by Claude | Review Run